The Windows updates are only for Meltdown, right (since, if I understood correctly, Spectre can’t be plugged)?
Yes, that is also why AMD sent in that piece of code to exclude AMD CPUs from the Linux fix.
This is what I got:
```
time ./spectre
Reading 23 bytes:
Reading at malicious_x = 0xffffffffffdfedc8... Success: 0x48='H' score=2
Reading at malicious_x = 0xffffffffffdfedc9... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedca... Success: 0x6C='l' score=2
Reading at malicious_x = 0xffffffffffdfedcb... Success: 0x6C='l' score=2
Reading at malicious_x = 0xffffffffffdfedcc... Success: 0x6F='o' score=2
Reading at malicious_x = 0xffffffffffdfedcd... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedce... Success: 0x4C='L' score=2
Reading at malicious_x = 0xffffffffffdfedcf... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedd0... Success: 0x76='v' score=2
Reading at malicious_x = 0xffffffffffdfedd1... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedd2... Success: 0x6C='l' score=2
Reading at malicious_x = 0xffffffffffdfedd3... Success: 0x31='1' score=2
Reading at malicious_x = 0xffffffffffdfedd4... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfedd5... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedd6... Success: 0x63='c' score=2
Reading at malicious_x = 0xffffffffffdfedd7... Success: 0x68='h' score=2
Reading at malicious_x = 0xffffffffffdfedd8... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedd9... Success: 0x00='?' score=3
Reading at malicious_x = 0xffffffffffdfedda... Success: 0x25='%' score=2
Reading at malicious_x = 0xffffffffffdfeddb... Success: 0x70='p' score=2
Reading at malicious_x = 0xffffffffffdfeddc... Success: 0x00='?' score=3
Reading at malicious_x = 0xffffffffffdfeddd... Success: 0x25='%' score=2
Reading at malicious_x = 0xffffffffffdfedde... Success: 0x64='d' score=2
real 0m0.007s
user 0m0.004s
sys 0m0.004s
```
Intel® Core™ i5-4250U CPU @ 1.30GHz
CPUID output : https://pastebin.com/i0E0rWSj
Running the latest Arch Linux kernel
Now try a Raspberry Pi
Don’t have one =P
My attempt at TLDR:
| Name | Variant | CVE | Affects | Fixes |
|---|---|---|---|---|
| Spectre | Variant 2: branch target injection | CVE-2017-5715 | ARM, x86, Power | POWER: patches to firmware + OS |
| Spectre | Variant 1: bounds check bypass | CVE-2017-5753 | ARM, x86, Power | Power: patches to firmware + OS |
| Meltdown | Variant 3: rogue data cache load | CVE-2017-5754 | Intel x86, some ARM, some Power | x86 Intel: fixed by KPTI in Linux, causing the ~5% (up to 30%) perf penalty - lessened by PCID; Power: patches to firmware + OS |
From researchers
https://spectreattack.com/ has the same content as https://meltdownattack.com/
Alternative Summaries
From CPU Manufacturers
Helpful Coverage (according to me at least)
- Computerphile - discusses Meltdown and Spectre exploit itself
- Raspberry Pi blog - explanation and CPU history lesson
- ArsTechnica - discusses corporate responses
- RazorPay - Meltdown (CVE-2017-5754) explanation
- Bleeping Computer - status of mitigations
Sorry if I just reposted your links, but I really want to have them all in one place.
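Added example, not part of the original thread or any poster's code: a shell function that reports the kernel's own mitigation status for the three CVEs in the table above, plus whether the CPU has PCID. It assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities/` (4.15 or a distribution backport); the function names and the `ROOT` argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is a hypothetical argument that
# lets the functions read a saved copy of the files instead of the live system.

# classify STATUS -> vulnerable | mitigated | not-affected | unknown
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;   # includes "Vulnerable: <detail>"
        Mitigation*)     echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# has_pcid ROOT -> status 0 if the CPU flags list pcid (-w so invpcid alone does not match)
has_pcid() {
    grep -m1 '^flags' "$1/proc/cpuinfo" 2>/dev/null | grep -qw pcid
}

# mitigation_report [ROOT] -> one line per CVE; status 1 if any is vulnerable or unknown
mitigation_report() {
    root="${1:-}"
    dir="$root/sys/devices/system/cpu/vulnerabilities"
    rc=0
    for entry in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        file="${entry%%:*}"
        cve="${entry#*:}"
        if [ -r "$dir/$file" ]; then
            line=$(cat "$dir/$file")
        else
            line="no sysfs entry (kernel does not report this issue)"
        fi
        state=$(classify "$line")
        case "$state" in vulnerable|unknown) rc=1 ;; esac
        printf '%s %s %s: %s\n' "$cve" "$file" "$state" "$line"
    done
    if has_pcid "$root"; then
        echo "pcid: present (lessens the KPTI penalty)"
    else
        echo "pcid: absent"
    fi
    return "$rc"
}
```

Source the file and call `mitigation_report` with no argument to read the live system; a non-zero status means at least one of the three issues is reported as vulnerable or is not reported at all.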
This is for the Spectre v1
Spectre v2 is more interesting as AMD claims there is “near zero” chance to trigger it.
Yeah. I don’t have a working Variant 2 PoC though.
Some people fiddling around here:
Intel’s ‘everyone is affected’ PR masterstroke is doing its business
Although that is me putting a sensible reason for this happening.
More likely it’s just because the stock market is batshit crazy.
https://bugs.gentoo.org/show_bug.cgi?id=643476
https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00005.html
disabling branch prediction completely?
damn…
feeling the pucker…
Ryzen 1700 system results. Will test on a xeon based VM in a moment.
```
Reading 23 bytes:
Reading at malicious_x = 0xffffffffffdffac0... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac1... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac2... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac3... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac4... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac5... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac6... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac7... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac8... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac9... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffaca... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffacb... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffacc... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffacd... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfface... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffacf... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad0... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad1... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad2... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad3... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad4... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad5... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad6... Success: 0xFF='?' score=0
```
Xeon bare metal system:
```
lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Thread(s) per core: 2
Core(s) per socket: 4
Socket(s): 1
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 58
Model name: Intel(R) Xeon(R) CPU E3-1230 V2 @ 3.30GHz
Stepping: 9
CPU MHz: 3300.162
CPU max MHz: 3700.0000
CPU min MHz: 1600.0000
BogoMIPS: 6602.33
Virtualization: VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache: 256K
L3 cache: 8192K
NUMA node0 CPU(s): 0-7
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm cpuid_fault epb tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm ida arat pln pts
Reading 23 bytes:
Reading at malicious_x = 0xffffffffffdfedc8... Success: 0x48='H' score=2
Reading at malicious_x = 0xffffffffffdfedc9... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedca... Success: 0x6C='l' score=2
Reading at malicious_x = 0xffffffffffdfedcb... Success: 0x6C='l' score=2
Reading at malicious_x = 0xffffffffffdfedcc... Success: 0x6F='o' score=2
Reading at malicious_x = 0xffffffffffdfedcd... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedce... Success: 0x4C='L' score=2
Reading at malicious_x = 0xffffffffffdfedcf... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedd0... Success: 0x76='v' score=2
Reading at malicious_x = 0xffffffffffdfedd1... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedd2... Success: 0x6C='l' score=2
Reading at malicious_x = 0xffffffffffdfedd3... Success: 0x31='1' score=2
Reading at malicious_x = 0xffffffffffdfedd4... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfedd5... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedd6... Success: 0x63='c' score=2
Reading at malicious_x = 0xffffffffffdfedd7... Success: 0x68='h' score=2
Reading at malicious_x = 0xffffffffffdfedd8... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedd9... Success: 0x00='?' score=4
Reading at malicious_x = 0xffffffffffdfedda... Success: 0x25='%' score=2
Reading at malicious_x = 0xffffffffffdfeddb... Success: 0x70='p' score=2
Reading at malicious_x = 0xffffffffffdfeddc... Success: 0x00='?' score=35 (second best: 0x05 score=16)
Reading at malicious_x = 0xffffffffffdfeddd... Success: 0x25='%' score=2
Reading at malicious_x = 0xffffffffffdfedde... Success: 0x64='d' score=2
```
That a preventive measure because ‘unknown’, or at AMD’s behest?
Is the first one a 1700?
What did you enable/disable that it’s not reading?
Did you compile it as optimized code? -O2 instead of -O0
Yes, the first is a 1700. I didn’t do anything.
I just did this:
```
cd spectre
~/spectre ls
spectre.c
~/spectre gcc -o spectre spectre.c -O0
~/spectre ./spectre
Reading 23 bytes:
Reading at malicious_x = 0xffffffffffdffac0... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac1... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac2... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac3... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac4... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac5... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac6... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac7... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac8... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffac9... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffaca... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffacb... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffacc... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffacd... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdfface... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffacf... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad0... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad1... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad2... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad3... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad4... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad5... Success: 0xFF='?' score=0
Reading at malicious_x = 0xffffffffffdffad6... Success: 0xFF='?' score=0
~/spectre
```
I could definitely try optimized code. I’m on Fedora.
```
uname -a
Linux metropolis 4.14.8-300.fc27.x86_64 #1 SMP Wed Dec 20 19:00:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
```
grabs tinfoil hat
Maybe Intel talked to Nvidia, as it may impact performance on GPUs.
And because Nvidia is salty because Intel now sources iGPUs from AMD, they leaked it…
No, it needs unoptimized code.
It’s rather surprising that it didn’t work.
Because it should work.